
Preventing Sophisticated Phishing and MFA Bypass in Entra ID
Sophisticated Phishing Attack Bypasses Microsoft ADFS MFA
A new phishing campaign has been observed targeting organizations using Microsoft Active Directory Federation Services (ADFS), leveraging spoofed login pages to steal credentials and bypass multi-factor authentication (MFA). This attack exploits ADFS, a single sign-on (SSO) solution that allows users to authenticate across multiple applications with a single set of credentials. Threat actors craft highly convincing phishing pages that mirror the legitimate ADFS login portals of targeted organizations, tricking users into submitting their credentials and MFA details.
Image courtesy of Infosecurity Magazine
How the Attack Works
Cybercriminals execute this attack in multiple stages:
- Phishing email: Spoofed emails, appearing to be from the organization’s IT department, prompt users to visit a fraudulent ADFS login page.
- Credential harvesting: The phishing site collects usernames, passwords, and MFA codes.
- Account takeover: Attackers use stolen credentials to access the organization’s network, conduct lateral phishing, and perform financial fraud.
Organizations are particularly vulnerable if they have legacy authentication systems like ADFS, as many have yet to transition to modern identity solutions. Security experts recommend a multi-layered defense strategy, which includes migrating to platforms like Microsoft Entra, strengthening security awareness training, and implementing advanced detection tools.
For more on phishing tactics and protective measures, see Cyber Threat Intelligence Review: Preparing for 2025.
Thwarting Evilginx Attacks on Microsoft Entra ID
Evilginx is a phishing tool that bypasses MFA by intercepting user logins, stealing credentials, and session cookies, allowing attackers to hijack accounts. Originally a pen-testing tool, Evilginx has evolved into a sophisticated phishing framework targeting platforms like Microsoft Entra ID.
The Evolution of Evilginx
Evilginx operates as an adversary-in-the-middle proxy, intercepting and manipulating communication between users and legitimate sites. It captures session cookies after authentication is complete, granting attackers unauthorized access to accounts. This makes it a particularly effective tool for targeting Microsoft Entra ID environments.
Image courtesy of HYPR
How Evilginx Works
- Phishing lure: The attacker entices the victim to click a phishing link.
- Fraudulent site: The phishing page mimics a legitimate login page and collects credentials.
- Credential harvesting: Evilginx captures the entered credentials and forwards them to the real service.
- Session hijacking: If authentication is successful, Evilginx intercepts session credentials, allowing attackers access.
To combat Evilginx, organizations should adopt FIDO passkeys for authentication: a passkey is bound to the origin it was registered on, so an authentication attempt succeeds only when the site's domain matches that origin. A proxy sitting on a lookalike domain therefore cannot complete the login, which renders tools like Evilginx ineffective.
For a deeper dive into protecting against Evilginx attacks, visit HYPR.
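The origin binding described above, shown from the relying party's side as an added example (this is not code from the original post or from HYPR; the RP ID, origin and challenge values are constructed). A WebAuthn assertion carries the browser's real origin inside clientDataJSON and the SHA-256 of the RP ID at the start of authenticatorData, and the authenticator signs over both, so a proxy on a lookalike domain cannot produce an assertion that passes these checks. Signature verification is left out to keep the example focused on the binding.

```python
import base64
import hashlib
import json

# Relying party settings for the legitimate site (constructed example values).
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: str) -> tuple:
    """Check the fields of a WebAuthn assertion that defeat an AitM proxy.
    Returns (ok, reason). The browser, not the page, writes the origin into
    clientDataJSON, so a phishing domain shows up here as an origin mismatch."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % client_data.get("origin")
    if authenticator_data[:32] != rp_id_hash(EXPECTED_RP_ID):
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Build clientDataJSON the way a browser would (constructed test helper)."""
    blob = json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()
    return base64.urlsafe_b64encode(blob).rstrip(b"=").decode()


if __name__ == "__main__":
    challenge = "constructed-challenge-value"
    auth_data = rp_id_hash(EXPECTED_RP_ID) + b"\x05"  # rpIdHash + flags byte
    # Legitimate sign-in: the browser is at the real origin.
    print(verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge))
    # Proxied sign-in: the user is really on the attacker's lookalike domain.
    print(verify_assertion_binding(make_client_data("https://login.example-com.net", challenge), auth_data, challenge))
```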
Session Hijacking 2.0 — The Latest Way That Attackers are Bypassing MFA
Attackers are increasingly turning to session hijacking to bypass widespread MFA adoption. In 2023, Microsoft detected 147,000 token replay attacks, a 111% increase year-over-year. Modern session hijacking targets cloud-based apps and services, stealing session materials like cookies and tokens.
Image courtesy of The Hacker News
Why Attackers Want to Steal Your Sessions
Stealing live sessions allows attackers to bypass authentication controls like MFA. If an attacker hijacks an existing session, they face fewer steps compared to converting stolen usernames and passwords into authenticated sessions.
Modern session hijacking relies on adversary-in-the-middle (AitM) phishing kits and browser infostealers, which target session cookies alongside traditional credential material. This flexibility widens the attack surface.
To learn more about the state of identity attacks, check out Push Security.
Require Phishing-Resistant Multifactor Authentication for Microsoft Entra Administrator Roles
Accounts with privileged administrative roles are frequent targets for attackers. Implementing phishing-resistant multifactor authentication (MFA) on these accounts can significantly reduce the risk of compromise.
Microsoft recommends requiring phishing-resistant MFA on roles such as Global Administrator, Application Administrator, and Security Administrator. Before creating policies, ensure that administrators have appropriate methods registered to avoid locking themselves out.
For a complete guide on configuring these policies, visit Microsoft Learn.
Authentication Strength
Microsoft Entra ID provides built-in authentication strengths, including:
- Multifactor authentication strength
- Passwordless MFA strength
- Phishing-resistant MFA strength (most restrictive)
Organizations can use these authentication strengths to create a robust MFA policy tailored to their environment.
Organizations should also exclude emergency access accounts from these policies to prevent lockout due to misconfiguration.
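An added example (not code from the original post or from Microsoft) that builds the Conditional Access policy body the two sections above describe: the three named admin roles in scope, the built-in phishing-resistant MFA authentication strength as the grant control, emergency access accounts excluded, and report-only mode so administrators can confirm they have a registered method before enforcement. The authentication strength and role template IDs are the Microsoft-documented built-in values; verify them in your own tenant, and the emergency account object IDs are constructed placeholders.

```python
import json

# Built-in "Phishing-resistant MFA" authentication strength ID (Microsoft built-in value;
# confirm under Entra ID > Authentication methods > Authentication strengths).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs for the roles named above (Microsoft-documented values;
# confirm with GET /directoryRoleTemplates before relying on them).
ADMIN_ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Application Administrator": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
}


def build_admin_mfa_policy(emergency_account_ids, state="enabledForReportingButNotEnforced"):
    """Request body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Defaults to report-only so the policy can be validated before it is enforced."""
    return {
        "displayName": "Require phishing-resistant MFA for admin roles",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": list(ADMIN_ROLE_TEMPLATES.values()),
                "excludeUsers": list(emergency_account_ids),  # never lock these out
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def lint_policy(policy, emergency_account_ids):
    """Return the problems that would risk lockout or weaken the policy (empty list if none)."""
    problems = []
    users = policy["conditions"]["users"]
    missing = set(emergency_account_ids) - set(users.get("excludeUsers", []))
    if missing:
        problems.append("emergency access accounts not excluded: %s" % sorted(missing))
    strength = policy["grantControls"].get("authenticationStrength", {}).get("id")
    if strength != PHISHING_RESISTANT_MFA:
        problems.append("grant control is not the phishing-resistant MFA strength")
    if not users.get("includeRoles"):
        problems.append("no admin roles in scope")
    return problems


if __name__ == "__main__":
    emergency = ["00000000-aaaa-bbbb-cccc-000000000001"]  # constructed placeholder object ID
    policy = build_admin_mfa_policy(emergency)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy, emergency) or "ok")
```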
How Hackers Bypass Microsoft Azure AD Conditional Access
Microsoft Azure Active Directory’s Conditional Access aims to protect companies by restricting access based on defined policies. However, hackers have discovered methods to bypass these protections.
Steps for Bypassing Conditional Access
- Obtaining credentials: Attackers use phishing, purchases on the dark web, or brute force techniques.
- Exclusion groups: Accounts placed in groups that are excluded from Conditional Access policies sit outside those controls, so maintaining these groups carefully is crucial to avoid gaps.
- Bypassing access conditions: Hackers can imitate user behavior and use VPNs to bypass location restrictions.
Bypassing Access Controls
Multi-factor authentication (MFA) is a common access control, but attackers can bypass it through man-in-the-middle attacks and social engineering tactics. Effective setup and continuous monitoring of Conditional Access policies are essential to maintaining security.
For a deeper understanding of Azure AD Conditional Access, visit Mantra.
Explore how to secure your organization with MojoAuth and integrate passwordless authentication solutions for web and mobile applications, ensuring a smooth and secure login experience.
*** This is a Security Bloggers Network syndicated blog from MojoAuth – Go Passwordless authored by Devesh Patel. Read the original post at: https://mojoauth.com/blog/preventing-sophisticated-phishing-and-mfa-bypass-in-entra-id/